OSX.Dummy Malware Targets Cryptocurrency Users

A new Mac malware, dubbed “OSX.Dummy,” was identified by Remco Verhoef of SANS ISC and then analyzed by security researcher Patrick Wardle. In recent campaigns, attackers posed as administrators in cryptocurrency-related chatrooms on Slack and Discord, prompting users to copy and execute a short shell script that downloads a malicious 34MB binary called script. The malware establishes the script’s ownership to root, sets it to be executable, prompts the user for a root password, and saves the clear text password in a dumpdummy.txt file. The malware also gains persistence by setting up a daemon that allows the script to be run at all system startups. The Python script opens a connection to a malicious server on port 1337 and sets up a reverse shell, giving the remote host access to the victim’s computer. Since the malware is executed from within the terminal, it evades macOS Gatekeeper security, even though it is unsigned. It is believed that the threat actors behind this campaign are interested in cryptocurrency theft. The NJCCIC highly recommends all Mac users and administrators review the Malwarebytes report, take caution when executing unfamiliar code from unverified sources, and regularly run up-to-date anti-virus/anti-malware programs. Users and administrators are advised to block the malicious IP source: 185.243.115.230. For more information on securing your macOS devices, please visit our Mac Malware threat profile page.